What are the Components of Zero Trust? Explaining the Best Security Technology Required for the IT Environment that is Becoming Increasingly Diverse at Overseas Offices

What concept of security are overseas offices looking for? A comprehensive look at the latest trends in technology



As digitization expands across the world, information security is becoming an ever more important issue. In particular, security requirements are becoming more fragmented and complex to suit increasingly diverse devices and network environments. In response, the zero trust model is now entering the spotlight. Understanding what zero trust means and what the components of the zero trust model are is an extremely important skill, because it will help you build a next-generation security strategy. This article describes the concept of zero trust, its components, and the requirements for the next-generation zero trust model that overseas offices will require in the future.

1. Components of Zero Trust

What is zero trust, a term we often hear in situations where we discuss security? First, let us talk about the characteristics and components of zero trust.

What is the zero trust model?

Zero trust is a new security concept (*1) advocated by Forrester Research in 2010. As its name suggests, the basic principle of zero trust is not trusting anyone or anything. In the traditional security model, it was conventional wisdom that users who had authenticated once in an internal network could be trusted. As a result, however, an attacker who had once broken into the network could freely carry out harmful acts on it. Zero trust is a new security concept developed to address this problem. By not relying on authentications and verifications carried out in the past, and by conducting strict authentication every time data is accessed regardless of the boundary between networks such as the in-house network and the Internet, the security of the data itself is ensured. The zero trust model enables you to prevent unauthorized access to data and resources while containing attackers' malicious acts within the network. Consequently, the enterprise's entire security system is enhanced and thus protected from information leaks and data breaches.

Figure: Conceptual diagram of conventional security and zero trust security

Components of zero trust

The zero trust model is a security framework that verifies every access, even within a network that was traditionally considered trusted, in order to minimize risk. The concept at the heart of the zero trust model is to trust no one and nothing, and to always verify. The model comprises various components. According to the National Institute of Standards and Technology (NIST), the basic principles of zero trust (*2) are as follows:

  • All data sources and computing services are considered resources.
  • All communication is secured regardless of network location.
  • Access to individual enterprise resources is granted on a per-session basis.
  • Access to resources is determined by dynamic policy.
  • The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentications and authorizations are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security position.

Components of zero trust must comply with these principles. The components of zero trust are as follows:

①   Endpoint (Device)
②   Network
③   Cloud
④   Identity (ID)
⑤   Workload
⑥   Visualization and Analysis
⑦   Automation

In the zero trust model, there is a need to take measures to ensure security of these components.
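The following is an added example, not code from the original article or from KDDI, showing how the NIST principles above (per-session access, dynamic policy, continuous posture checks, no trust based on network location) look in a small policy decision function. The device inventory, user roles, resource names and the policy schema are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import secrets

# Constructed sample data and a hypothetical policy schema; nothing here comes from the article.


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_running: bool
    last_posture_check: datetime


@dataclass
class User:
    user_id: str
    roles: Set[str]
    mfa_verified: bool


@dataclass
class AccessRequest:
    user: User
    device: Device
    resource: str
    source_network: str   # "corp" or "internet"; recorded for logging, never used to grant trust
    now: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    session_token: Optional[str] = None
    expires_at: Optional[datetime] = None


# Dynamic policy: permitted roles per resource and how fresh the device posture must be.
RESOURCE_POLICY: Dict[str, dict] = {
    "hr-db": {"roles": {"hr"}, "max_posture_age": timedelta(minutes=15)},
    "wiki": {"roles": {"hr", "engineer"}, "max_posture_age": timedelta(hours=1)},
}


def evaluate(req: AccessRequest, session_ttl: timedelta = timedelta(minutes=10)) -> Decision:
    """Decide a single request. Identity, device posture and policy are re-checked
    on every call; a pass grants a short-lived per-session token, not standing access."""
    reasons: List[str] = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource"])
    if not req.user.mfa_verified:
        reasons.append("MFA not verified")
    if not (req.user.roles & policy["roles"]):
        reasons.append("role not permitted for resource")
    d = req.device
    if not (d.managed and d.disk_encrypted and d.edr_running):
        reasons.append("device posture not compliant")
    if req.now - d.last_posture_check > policy["max_posture_age"]:
        reasons.append("device posture check is stale")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [], secrets.token_urlsafe(16), req.now + session_ttl)


def run_scenarios() -> Dict[str, Decision]:
    """Three constructed requests showing that network location is not what decides."""
    now = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    good_laptop = Device("lt-001", True, True, True, now - timedelta(minutes=5))
    stale_laptop = Device("lt-002", True, True, True, now - timedelta(hours=3))
    hr_user = User("alice", {"hr"}, mfa_verified=True)
    engineer = User("bob", {"engineer"}, mfa_verified=True)
    return {
        # HR user, healthy device, coming from the Internet: allowed.
        "hr_from_internet": evaluate(AccessRequest(hr_user, good_laptop, "hr-db", "internet", now)),
        # Engineer on the corporate LAN asking for HR data: denied despite being "inside".
        "engineer_from_corp": evaluate(AccessRequest(engineer, good_laptop, "hr-db", "corp", now)),
        # Right role, but the device posture report is three hours old: denied until re-checked.
        "hr_stale_device": evaluate(AccessRequest(hr_user, stale_laptop, "hr-db", "corp", now)),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(name, "ALLOW" if decision.allowed else "DENY", decision.reasons)
```

The point of the three scenarios is that `source_network` never appears in `evaluate`: the decision depends only on who is asking, on what device, for which resource, and the grant expires with the session.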

Also see the following article about zero trust.
* Related article: Does SASE Hold the Key to the Business!? (2nd article of 6 in total)


2. Details of the Components of Zero Trust

Zero trust contains many components, and security measures are necessary for each one. This section features an in-depth discussion of the components of zero trust.

① Endpoint

An endpoint is a device to be connected to a network. In the zero trust model, only access from reliable devices must be permitted. The technologies for ensuring security of endpoints include the following:

  • EPP (Endpoint Protection Platform)
  • EDR (Endpoint Detection and Response)

EPP (Endpoint Protection Platform)

An EPP is a solution that protects endpoints such as PCs and smartphones from malware. It is generally referred to as antivirus software.

EDR (Endpoint Detection and Response)

EDR is a solution that monitors suspicious behaviors at endpoints, detects them in real time, and provides a quick response to them. EDR detects suspicious behaviors and deals with them on the assumption that malware has been spread to the endpoints. EDR is an effective countermeasure against unknown malware that cannot be handled by an EPP.
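To make the difference between an EPP and EDR concrete, here is an added example (not from the original article or any vendor product) of the kind of behavioural rule an EDR evaluates: it reconstructs the process tree from constructed process-start telemetry and flags a command interpreter whose ancestry passes through an Office application, something a file-signature check on `cmd.exe` alone could never express. The event schema and process names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


# Constructed endpoint telemetry in a hypothetical schema (one record per process start).
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str       # executable name, lower-case
    cmdline: str


EVENTS: List[ProcessEvent] = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", "winword.exe quarterly_report.docm"),
    ProcessEvent(300, 200, "cmd.exe", "cmd.exe /c start helper"),
    ProcessEvent(400, 300, "powershell.exe", "powershell.exe -NoProfile -File update.ps1"),
    ProcessEvent(500, 100, "cmd.exe", "cmd.exe"),            # user opened a prompt from the desktop: benign
    ProcessEvent(600, 1, "svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events: List[ProcessEvent]) -> Dict[int, ProcessEvent]:
    return {e.pid: e for e in events}


def ancestry(tree: Dict[int, ProcessEvent], pid: int) -> List[str]:
    """Walk parent links; return the image names from the process up to the root."""
    chain: List[str] = []
    seen = set()
    while pid in tree and pid not in seen:      # `seen` guards against cyclic/recycled pids
        seen.add(pid)
        chain.append(tree[pid].image)
        pid = tree[pid].ppid
    return chain


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Flag any interpreter whose ancestry includes an Office application,
    and attach the response an EDR would typically offer for that host."""
    tree = build_tree(events)
    alerts = []
    for e in events:
        if e.image not in INTERPRETERS:
            continue
        chain = ancestry(tree, e.pid)
        office_parent = next((img for img in chain[1:] if img in OFFICE_APPS), None)
        if office_parent:
            alerts.append({
                "pid": e.pid,
                "image": e.image,
                "via": office_parent,
                "chain": " <- ".join(chain),
                "suggested_response": "isolate endpoint and collect process memory",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Note that pid 500 (`cmd.exe` started from the desktop) produces no alert while pid 300 (the same binary started under Word) does: the verdict comes from behaviour and context, which is what lets EDR catch malware an EPP has no signature for.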

Also see the following article about endpoints.
* Related article: Roles of Endpoint Security in the Zero Trust Security Model


②  Network

All communications need to be verified and protected in zero trust. The technologies that protect network security are as follows:

  • SWG (Secure Web Gateway)
  • SDP (Software Defined Perimeter)

SWG (Secure Web Gateway)

An SWG is a proxy through which users access external networks securely. Access control based on the security policy is achieved by redirecting users' traffic to a remote server (e.g., in the cloud) and analyzing and filtering it there.

SDP (Software Defined Perimeter)

An SDP is a technology that uses software to create a virtual network boundary (perimeter). It enables protection from threats that cannot be prevented at a physical boundary such as a conventional firewall.


③  Cloud

Access to cloud services needs to be controlled strictly and permitted based on a dynamic policy. The major technologies that protect cloud security are as shown below. These two technologies should be selected according to the requirements for security protection, but adopting both will achieve the maximum effect.

  • CASB (Cloud Access Security Broker)
  • CSPM (Cloud Security Posture Management)

CASB (Cloud Access Security Broker)

A CASB is a solution that functions as a security gateway located between a company's on-premises environment and a cloud service. Appropriate control of access to the cloud is realized based on the company's security policy.

CASB is recommended for organizations that place importance on compliance and handle sensitive information, such as those in the financial and healthcare industries, and public offices. This solution is suitable for strictly controlling access to cloud services and conducting unauthorized access monitoring in order to establish a system to protect security and privacy.

CSPM (Cloud Security Posture Management)

CSPM is a solution that checks the current status of the various systems in the cloud and looks for configuration errors and vulnerabilities to ensure security. This solution monitors and evaluates the security settings of accounts and resources in a cloud environment.

As one of the best practices for cloud security, CSPM is beneficial for any company or municipality that uses cloud services. It is especially effective for large companies and municipalities, which would be seriously affected by the occurrence of a security incident.
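As an added example (not the article's or any vendor's code), the following shows the core of what a CSPM does: it walks an inventory of cloud resources and reports configuration errors against a set of rules, ordered by severity. The inventory schema is hypothetical and provider-neutral, and all resource names and settings are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory in a hypothetical, provider-neutral schema; not a real cloud API.
INVENTORY: Dict[str, list] = {
    "storage_buckets": [
        {"name": "public-assets", "public_read": True, "encryption": "aes256", "access_logging": True},
        {"name": "customer-exports", "public_read": True, "encryption": None, "access_logging": False},
        {"name": "backups", "public_read": False, "encryption": "aes256", "access_logging": True},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "access_key_age_days": 30},
        {"name": "svc-legacy", "mfa_enabled": False, "access_key_age_days": 400},
    ],
}


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    rule: str


PUBLIC_OK_PORTS = {80, 443}      # ports that may legitimately face the Internet
MAX_KEY_AGE_DAYS = 90


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule reachable from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_buckets(buckets: list) -> List[Finding]:
    out = []
    for b in buckets:
        if b["public_read"]:
            out.append(Finding("HIGH", b["name"], "bucket allows public read"))
        if not b["encryption"]:
            out.append(Finding("MEDIUM", b["name"], "bucket not encrypted at rest"))
        if not b["access_logging"]:
            out.append(Finding("LOW", b["name"], "bucket access logging disabled"))
    return out


def check_security_groups(groups: list) -> List[Finding]:
    out = []
    for g in groups:
        for rule in g["ingress"]:
            if is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
                out.append(Finding("HIGH", g["name"], f"port {rule['port']} open to the world"))
    return out


def check_iam_users(users: list) -> List[Finding]:
    out = []
    for u in users:
        if not u["mfa_enabled"]:
            out.append(Finding("HIGH", u["name"], "MFA not enabled"))
        if u["access_key_age_days"] > MAX_KEY_AGE_DAYS:
            out.append(Finding("MEDIUM", u["name"], f"access key older than {MAX_KEY_AGE_DAYS} days"))
    return out


def assess(inventory: Dict[str, list]) -> List[Finding]:
    """Run every rule set and return findings sorted HIGH -> LOW, then by resource."""
    findings = (check_buckets(inventory["storage_buckets"])
                + check_security_groups(inventory["security_groups"])
                + check_iam_users(inventory["iam_users"]))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.rule}")
```

A real CSPM adds an exception list (the `public-assets` bucket may be intentionally public) and re-runs the assessment continuously, since drift after the initial deployment is the usual source of findings.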


④  Identity (ID)

An identity (ID) refers to a user ID. An ID must be authenticated every time. Technologies for ensuring identity security include the following:

  • IAM (Identity and Access Management)

IAM (Identity and Access Management)

IAM refers to management and authentication of IDs. IAM unifies management of IDs of users and devices, and controls access to in-company resources in accordance with the authority defined for each ID.

⑤  Workload

Workload is a general term for applications and services that are executed on a server or in a cloud environment, such as a virtual machine, web application, and database. The representative technology for protecting workload security is as follows:

  • CWPP (Cloud Workload Protection Platform)

CWPP (Cloud Workload Protection Platform)

A CWPP is a solution for protecting workload security, including virtualized environments and containers in the cloud. Through detecting threats to workload and violations of the security policy, it reduces the risk of data leakage and unauthorized access.

⑥   Visualization and Analysis

In zero trust, it is important that every access and behavior be visualized and that security be enhanced by analyzing that information. Well-known technologies for visualization and analysis include the following:

  • SIEM (Security Information and Event Management)
  • CASB (Cloud Access Security Broker)

SIEM (Security Information and Event Management)

SIEM is a solution for centrally collecting, analyzing, and managing security-related information and events from applications and systems. It enables real-time monitoring and long-term visualization and analysis of log data.

CASB (Cloud Access Security Broker)

A CASB features the ability to visualize behaviors and transactions of users in an organization when using cloud services, and detect fraudulent activities and dangerous behaviors. It allows users to visualize movement of and access to data in a cloud environment, apply the security policy, and detect unusual access.

⑦   Automation

Automation is a key component in the zero trust model and means automatic execution of tasks for ensuring security. Automation reduces tasks done by people and realizes more accurate and effective security operations. The technologies for automation in zero trust include the following:

  • SIEM (Security Information and Event Management)
  • SOAR (Security Orchestration, Automation, and Response)

SIEM (Security Information and Event Management)

SIEM also provides a feature for automation. It provides a system that analyzes data in real time and automatically detects abnormal behaviors and threats. It is also possible to send a notification automatically when an abnormality has been detected.

SIEM is suitable for organizations that are dedicated to monitoring, detection, response, and reporting of security incidents and require sophisticated security operations up to analysis. It is especially recommended for financial institutions, medical institutions, and government offices, which have stringent compliance requirements.

SOAR (Security Orchestration, Automation, and Response)

SOAR enables orchestration that strengthens information transfer among multiple security products or solutions, as well as automation of a series of security tasks and workflows. It therefore enables users to reduce manual tasks and improve the speed and accuracy of their work.

While SIEM focuses on monitoring, detection, response, and analysis of security incidents, SOAR is aimed at immediate response to security incidents and promotion of operation efficiency. Aiming at enhancing security and efficiency through a combination of SIEM and SOAR should be beneficial for any company regardless of the business sector.
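The division of labour between SIEM and SOAR described in this section, as an added example that is not part of the original article and is not any product's code: a SIEM-style correlation rule parses constructed authentication log lines and raises an alert when a burst of failed logins for one user and source address is followed by a success, and a SOAR-style playbook turns each alert into an ordered list of response steps. The log format, the threshold and window, and the playbook steps are all assumptions made for this illustration; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed authentication log lines in a made-up format; not real telemetry.
LOG_LINES = """\
2024-05-01T09:00:01Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T09:00:05Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T09:00:09Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T09:00:14Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T09:00:20Z auth result=FAIL user=alice src=203.0.113.10
2024-05-01T09:00:31Z auth result=OK user=alice src=203.0.113.10
2024-05-01T09:01:00Z auth result=FAIL user=bob src=198.51.100.7
2024-05-01T09:02:00Z auth result=OK user=bob src=198.51.100.7
2024-05-01T09:03:00Z auth result=OK user=carol src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse(lines: str) -> List[Event]:
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # a SIEM would route unparsed lines to a parse-failure queue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    return events


FAIL_THRESHOLD = 5           # assumed tuning values
WINDOW = timedelta(minutes=2)


def correlate(events: List[Event]) -> List[dict]:
    """SIEM-style rule: >= FAIL_THRESHOLD failures for one (user, src) inside WINDOW,
    followed by a success from the same pair, raises one alert."""
    recent_failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        q = recent_failures[(e.user, e.src)]
        while q and e.ts - q[0] > WINDOW:      # drop failures that fell out of the window
            q.popleft()
        if e.result == "FAIL":
            q.append(e.ts)
        elif len(q) >= FAIL_THRESHOLD:
            alerts.append({"rule": "brute-force-then-success", "user": e.user,
                           "src": e.src, "failures": len(q), "ts": e.ts})
            q.clear()
    return alerts


def run_playbook(alert: dict) -> List[str]:
    """SOAR-style playbook: the ordered response steps, recorded here rather than executed."""
    return [
        f"revoke active sessions for user {alert['user']}",
        f"require MFA re-enrollment for user {alert['user']}",
        f"block source {alert['src']} at the secure web gateway / firewall",
        f"open incident ticket: {alert['rule']} ({alert['failures']} failures before success)",
        "notify SOC analyst for review",
    ]


def pipeline(lines: str) -> Dict[str, list]:
    """SIEM detects, SOAR responds: one alert in, one action list out."""
    alerts = correlate(parse(lines))
    return {"alerts": alerts, "actions": [run_playbook(a) for a in alerts]}


if __name__ == "__main__":
    result = pipeline(LOG_LINES)
    for alert, steps in zip(result["alerts"], result["actions"]):
        print(alert)
        for step in steps:
            print("  ->", step)
```

Only alice's sequence trips the rule; bob's single failure and carol's clean login produce nothing, which is the filtering a SIEM is supposed to do before a SOAR playbook ever runs. In a production deployment each playbook step would call the corresponding product's API, and the step list would be reviewed by the SOC before being allowed to run unattended.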


3. Requirements for the Next-generation Zero Trust Model Required at Overseas Offices in the Future

Security technologies continually evolve, and the zero trust model is no exception. This section describes requirements for the new-generation zero trust model that will be required for overseas offices in the future.

Market size of zero trust

Zero trust occupies an important place in the global cyber security market and is growing dramatically. We expect continuous growth in demand for the zero trust model with the increased adoption of cloud services by companies, the realization of DX, the spread of remote work, and the threat of increasingly complex cyberattacks.

According to a report released by Report Ocean, a market research company (*3), the global zero trust security market is expected to grow consistently by more than 17.4% between 2021 and 2027, reaching a scale of approximately 60.25 billion U.S. dollars. The zero trust security market is considered one of the areas that will keep growing on a global scale.

Requirements for zero trust in the future

It is expected that the next-generation zero trust will need to meet the following new requirements.

Further automation and utilization of AI

As AI and machine learning become ever more capable, it is now technologically possible to detect abnormalities and to automate the handling of the abnormalities detected. The use of automation and AI will be more and more important for attaining high efficiency of security operations and swift response to threats. Automation leads to greater efficiency in various security-related tasks, such as the application of security policies, abnormality detection, and the execution of response processes. AI, on the other hand, can learn patterns in network traffic and user behavior from large amounts of accumulated data, so that abnormal behaviors and new threats are promptly detected and analyzed. Taking advantage of the synergy between automation and AI enables you to take proper measures against cyberattacks, which are becoming more complex and malicious globally.

Enhancement of privacy protection

Enhancement of privacy protection is especially important. The zero trust model uses personally identifiable information in access control or authentication processes. It will be increasingly important in the future to properly protect confidential information and prevent unauthorized access and data leakage. In concrete terms, data encryption, management of data access logs, and data anonymization will become crucial.

At the same time, laws and regulations concerning privacy, such as General Data Protection Regulation (GDPR), are being strengthened. Therefore, companies and organizations that will adopt the zero trust model must comply with these laws and regulations. Such global trends could affect the corporate activities of our overseas offices.

What to do to meet new zero trust requirements at overseas offices

To meet new zero trust requirements, not only technologies but also the understanding and efforts of the entire organization, including its overseas offices, are absolutely essential. Remember, for example, that there are cases where the idea of security and the security culture differ from office to office abroad, so the level of response can vary. For this reason, we need to provide unified education and training about the details and importance of the security policy, conduct periodic security audits, constantly raise members' awareness level, and maintain the same security level at each overseas office.

In terms of cyber security, we need to always grasp the latest situation and update technologies and policies so that we can deal with continually evolving threats. More specifically, it is important to collect and analyze up-to-date threat information from threat intelligence, periodically review security patches in detail, and ensure continued improvement in security and in the capacity to deal with new threats.

4. Summary

In this article, we discussed components of zero trust and zero trust requirements that overseas offices should meet in the future. KDDI is implementing support for attaining zero trust at overseas offices. If you’re unsure about how to put efficient security measures in place, please contact KDDI. Next, we will introduce the threats that using zero trust can prevent.

Please consult a KDDI consultant.